1 / 15

Steps in the Transition to an Impact-Focused Audit Function

Steps in the Transition to an Impact-Focused Audit Function. Prioritizing audit based upon risk evaluation Gert van der Linde, World Bank Uganda, Kampala May 18, 2004. Imagine you are…. An independent non-executive director of a large commercial bank, serving on its Audit Committee….

ganya
Download Presentation

Steps in the Transition to an Impact-Focused Audit Function

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Steps in the Transition to an Impact-Focused Audit Function Prioritizing audit based upon risk evaluation Gert van der Linde, World Bank Uganda, Kampala May 18, 2004

  2. Imagine you are….. An independent non-executive director of a large commercial bank, serving on its Audit Committee…..

  3. Effectiveness Considerations • True independence • Have a good understanding of issues facing the organization • Be responsive to management’s needs • Be able to assess, advise and assure on the management of key business risks • Contribute to performance improvement • Be proactive in communication with management • Follow through on implementation of recommendations • Match the skill set to the needs • Use enabling technology and work smarter

  4. Imagine you are…the Chief Internal Auditor • 800+ audit assignments • 5 Audit Committee meetings per year • Different views and needs • Risk owners • SBU Management / Exco • Audit Committee • The past, present and future

  5. Case Study:Report to GACC

  6. 1 - Implementation of trading strategy 2 - Marketing of products / services 3 - Market / product liquidity 4 - Obtaining of credit approvals 5 - Security documentation 6 - Management of counterparty exposures 7 - Dealing and pricing systems 8 - Quoting of rates 9 - Trading 10 - Income generation 11 - Fee / commission structure 12 - Position revaluation 13 - VaR / Sensitivity Analysis TREASURY - AGRIS 6 = Risk area Risk Profile 32 20 15 16 53 14 17 21 19 13 31 22 23 24 25 18 33 48 26 42 34 35 36 37 38 39 40 41 50 43 44 51 46 47 49 29 45 52 62 56 57 58 59 60 70 61 63 64 65 66 67 68 69 71 73 55 80 81 75 76 77 78 79 30 82 72 83 84 85 86 87 88 54 74 11 10 9 8 7 Seriousness High Risk Areas 2 6 1 6 5 4 4 9 13 3 10 8 7 3 12 2 11 1 5 Medium Risk Areas 0 Low Risk Areas 1 2 3 5 6 0 4 7 8 9 10 11 Probability Delivered - a case study

  7. 6 = Risk area 11 10 9 8 7 Authorisation Verification 6 5 4 3 2 1 0 1 2 3 5 6 0 4 7 8 9 10 11 Delivered - a case study 1 - Implementation of trading strategy 2 - Marketing of products / services 3 - Market / product liquidity 4 - Obtaining of credit approvals 5 - Security documentation 6 - Management of counterparty exposures 7 - Dealing and pricing systems 8 - Quoting of rates 9 - Trading 10 - Income generation 11 - Fee / commission structure 12 - Position revaluation 13 - VaR / Sensitivity Analysis Significant Findings TREASURY - AGRIS Risk Profile Management of risks “unacceptable” due to system deficiencies, lack of resources and lack of segregation of duties 61 62 63 64 65 42 31 15 39 14 41 16 17 18 19 40 60 46 58 54 20 45 44 47 43 48 59 49 51 52 53 13 55 56 57 50 21 30 23 85 84 83 82 81 69 80 22 76 75 74 73 72 71 70 86 87 77 79 25 26 29 88 67 32 33 34 35 36 37 38 66 78 68 24 Authorisation Access Control Seriousness High Risk Areas 2 1 6 4 9 13 Incomplete data Reconciliation 10 8 7 3 12 11 5 Medium Risk Areas Low Risk Areas Authorisation Segregation Probability

  8. Case Study - Report to GACC

  9. Case Study:Report to GACC

  10. Case Study - Some Questions • Why “Agris”? Why not “Agris”? • Necessary to audit all the functional / risk areas? • Is our conclusion correct? Are the causes and effects well communicated, agreed and understood? • Did the control profile change since last audit? • What is the value at a strategic management level? • How does the control risk compare relative to other areas? Is the control risk financed? • Are all risk types analysed, managed and financed? • What should be reported to GACC? And to GRC? And how? • How do we measure IA value contribution?

  11. 1 - Implementation of trading strategy 2 - Marketing of products / services 3 - Market / product liquidity 4 - Obtaining of credit approvals 5 - Security documentation 6 - Management of counterparty exposures 7 - Dealing and pricing systems 8 - Quoting of rates 9 - Trading 10 - Income generation 11 - Fee / commission structure 12 - Position revaluation 13 - VaR / Sensitivity Analysis TREASURY - AGRIS 6 = Risk area Control Profile 32 20 15 16 53 14 17 21 19 13 31 22 23 24 25 18 33 48 26 42 34 35 36 37 38 39 40 41 50 43 44 51 46 47 49 29 45 52 62 56 57 58 59 60 70 61 63 64 65 66 67 68 69 71 73 55 80 81 75 76 77 78 79 30 82 72 83 84 85 86 87 88 54 74 11 10 9 8 7 Seriousness High Risk Areas 2 6 1 6 5 4 4 9 13 3 10 8 7 3 12 2 11 1 5 Medium Risk Areas 0 Low Risk Areas 1 2 3 5 6 0 4 7 8 9 10 11 Probability Possible Reporting Format?

  12. Reporting to Audit Committees

  13. Root Cause Analysis

  14. Managing the expectations KPMG on internal audit value - widest gap: • Having a good understanding of issues facing the organisation • UNDERSTAND THE BUSINESS AT ALL LEVELS • Being proactive in communication with management • TALK LIKE MANAGEMENT • Being able to assess and help manage related business risk • THINK LIKE MANAGEMENT AT ALL LEVELS • Being proactive in meeting senior management’s needs • BE A SOLUTION PROVIDER • Working effectively with all units or divisions • MANAGE YOUR RELATIONSHIPS • Contributing to performance improvement • WHAT GETS MEASURED GETS DONE

  15. Steps in the Transition to an Impact-Focused Audit Function Prioritizing audit based upon risk evaluation Questions?

More Related